Configure an IPv6 ACE

Configure an IPv6 ACE to filter traffic based on source IPv6 address, destination IPv6 address, IPv6 next header, and IPv6 traffic class, or to apply to routed packets only.

Source IPv6 and destination IPv6 support the equal (eq) and mask operators. The next header and traffic class attributes support only the equal (eq) operator. The equal (eq) operator looks for an exact match with the defined field. If the field matches the rule exactly, the system returns a match (hit). ACL-based filters provide the mask operator to match on Layer 2, Layer 3, and Layer 4 packet fields. The mask operator is used to mask bits in packet fields during a search or to match on a partial value of a packet field.

Before you begin

  • The ACL exists with the IPv6 packet type. You can only configure ACE IPv6 attributes to filter on an IPv6 packet.

  • The ACE exists.

About this task

The eq and mask parameters specify an operator for a field match condition: equal to or mask. The mask operator is an implied eq on the mask bits.

Procedure

  1. Enter Global Configuration mode:

    enable

    configure terminal

  2. Create and name an ACE:

    filter acl ace <1-2048> <1-2000> [name Word<1-32>]

  3. Configure an ACE for the destination IPv6 address attribute:

    filter acl ace ipv6 <1-2048> <1-2000> dst-ipv6 eq WORD<0-255>

    OR

    filter acl ace ipv6 <1-2048> <1-2000> dst-ipv6 mask WORD<1-128> WORD<0-255>

  4. Configure an ACE for the source IPv6 address attribute:

    filter acl ace ipv6 <1-2048> <1-2000> src-ipv6 eq WORD<0-255>

    OR

    filter acl ace ipv6 <1-2048> <1-2000> src-ipv6 mask WORD<1-128> WORD<0-255>

  5. Specify the next header of the IP header:

    filter acl ace ipv6 <1-2048> <1-2000> nxt-hdr eq {fragment|hop-by-hop|icmpv6|ipsecah|ipsecesp|noHdr|routing|tcp|udp|undefined}

    You must configure next header to configure the protocol attributes.

  6. Specify the traffic class attribute of the IPv6 header:

    filter acl ace ipv6 <1-2048> <1-2000> traffic-class eq WORD<0-255>

  7. Configure an ACE for routed packets only:

    filter acl ace ipv6 <1-2048> <1-2000> routed-only

  8. Ensure that your configuration is correct:

    show filter acl ipv6 <1-2048> <1-2000>

Example

Switch:1(config)#filter acl ace ipv6 15 15 dst-ipv6 eq 30:0:0:0:0:0:0:ffff/64
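
To check a planned ACE against sample traffic before applying it, the following added example (not vendor code) models the eq and mask operators described above in Python. It assumes the mask value is the number of leading address bits compared, and that every configured attribute must match for a hit; the dictionary layout and all addresses are constructed for illustration.

```python
import ipaddress

# IANA protocol numbers for the nxt-hdr keywords in step 5
# ("undefined" has no fixed number and is left out).
NEXT_HEADER = {"hop-by-hop": 0, "tcp": 6, "udp": 17, "routing": 43,
               "fragment": 44, "ipsecesp": 50, "ipsecah": 51,
               "icmpv6": 58, "noHdr": 59}

def addr_match(rule, addr):
    """rule is ("eq", address) or ("mask", address, bits)."""
    want = int(ipaddress.IPv6Address(rule[1]))
    have = int(ipaddress.IPv6Address(addr))
    if rule[0] == "eq":
        return want == have          # exact match on all 128 bits
    bits = rule[2]
    if not 1 <= bits <= 128:
        raise ValueError("mask length must be 1-128")
    # Assumption: mask = implied eq on the leading `bits` bits only
    keep = ((1 << bits) - 1) << (128 - bits)
    return (want & keep) == (have & keep)

def ace_matches(ace, pkt):
    """Assumption: all configured attributes must match for a hit."""
    for field in ("src-ipv6", "dst-ipv6"):
        if field in ace and not addr_match(ace[field], pkt[field]):
            return False
    if "nxt-hdr" in ace and NEXT_HEADER[ace["nxt-hdr"]] != pkt["nxt-hdr"]:
        return False
    if "traffic-class" in ace and ace["traffic-class"] != pkt["traffic-class"]:
        return False
    if ace.get("routed-only") and not pkt.get("routed", False):
        return False
    return True

# Constructed sample ACE and packets (documentation prefix 2001:db8::/32)
ACE = {"dst-ipv6": ("mask", "2001:db8:10::", 64),
       "src-ipv6": ("eq", "2001:db8::1"),
       "nxt-hdr": "tcp", "traffic-class": 0, "routed-only": True}
PKT_HIT = {"dst-ipv6": "2001:db8:10::beef", "src-ipv6": "2001:db8::1",
           "nxt-hdr": 6, "traffic-class": 0, "routed": True}
PKT_OTHER_NET = dict(PKT_HIT, **{"dst-ipv6": "2001:db8:11::beef"})
PKT_BRIDGED = dict(PKT_HIT, routed=False)

if __name__ == "__main__":
    for name in ("PKT_HIT", "PKT_OTHER_NET", "PKT_BRIDGED"):
        print(name, ace_matches(ACE, globals()[name]))
```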